Here are a few suggestions that can help lawyers with computer security, excerpted from a TLIE CLE course free for insureds entitled Making Lawyers Technologically Competent. These suggestions are not meant to create a standard of care, but are often commonly suggested by security experts and of particular use to lawyers.
Layers of defenses
1. Use care with passwords. The first line of defense for your data is passwords. A few practical steps can lessen the likelihood you will lose your data due to problems with your password.
Lock devices automatically, and manually as needed, when not in use so that a password is required. A password is useless if a computer or phone is not locked when the user is not present. Almost all devices can be set to lock after a period of inactivity. Get in the habit of manually locking when you are not able to see your devices, such as when you leave the room for just a second, so that information is not available to whoever walks by.
Use strong passwords, and increase the strength for cloud based data. Just because a device or website permits less complex passwords is not a reason to choose a simple one. Avoid passwords made up only of words, since dictionary based attacks may break them. Mixing in numbers and symbols helps. Also, longer passwords greatly reduce the chance that a brute force attack will succeed. Finally, look for websites and applications that limit the number of tries a user can make before a timeout is imposed. This greatly reduces the likelihood of password compromise.
Avoid storing passwords in the browser. Modern browsers can encrypt and store passwords so that the user does not need to type or remember website passwords. However, if a device is breached or left unlocked, every account whose password is stored in the browser can be compromised.
Avoid repeating usernames and passwords in different places. Repeated usernames and passwords are only as good as the least well protected place where they are used. Many databases of usernames and passwords have been compromised throughout the Internet. To check whether any of your passwords have been compromised, go to https://haveibeenpwned.com/ and check your email address. Change those passwords, and any other passwords that are the same.
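The haveibeenpwned.com site also offers a Pwned Passwords lookup that never receives the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and matches the rest locally against the list of suffixes the service returns. The following is an added example (not part of the course material) that implements that client-side matching against a constructed response; the hash of "password" is the real SHA-1 value, the counts and the other suffixes are made up.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

# Constructed stand-in for the text the Pwned Passwords range endpoint
# (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>) returns:
# one "<remaining 35 hex chars>:<count>" line per leaked hash sharing that
# prefix. The counts and all but the third suffix are invented; the third is
# the real tail of SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
CONSTRUCTED_RANGE_5BAA6 = """1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1"""


def split_sha1(password: str) -> Tuple[str, str]:
    """Hash the password and split the hex digest into the 5-char prefix that
    is sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in known breaches (0 if never).
    range_body must be the response for the password's own 5-char prefix."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a prefix (network access required)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration using the constructed response above.
    print("password ->", breach_count("password", CONSTRUCTED_RANGE_5BAA6))
```

Replace the constructed response with `fetch_range(prefix)` to query the live service; only the five-character prefix ever leaves the machine.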
Use a password database. Because repeated passwords are not safe and it is hard to remember many complex passwords, it is best to use software that can store your many different passwords. Among the software available are KeePass, LastPass, 1Password and many others. It is not a good practice to keep handwritten notes of your passwords and usernames at your desk where you might inadvertently leave them exposed. Keeping your passwords in Excel or Word without both locking and encrypting the files is just as dangerous in the event someone gains access to your computer.
Two factor authentication. For the most critical accounts on websites, it is best to use two factor authentication. In addition to entering a password, the user will have to verify their identity by providing a code, often sent by email or to a phone number. Use of two factor authentication on cloud based email access and financial websites is particularly important.
2. Use Encryption Wisely. Encryption scrambles data in a manner that makes it very difficult to decipher without a key or keys. Keys often look like passwords, but just because a device or website has a password does not mean that the data on the device or sent to the website will be encrypted. When a transmission, file or device is not encrypted, the information can be accessed with simple utilities on most devices. Ultimately, in the cloud, your data is stored on a device. If the data is not encrypted, it could be read by anyone with access to the server where the data is stored.
Encrypt mobile devices and provide for remote wiping. Any laptops, tablets or smart phones with important data should be encrypted. Recent Apple devices are automatically encrypted, while Android and Windows devices permit encryption with settings.
Consider encryption for physical devices in the office. Theft or loss of office devices, such as desktops, servers and thin clients, is less likely. For this reason, it may not make sense to routinely encrypt all office devices. However, it may be better to encrypt sensitive information, such as personal and health information. As encryption of devices has improved and caused less delay in the main processing of the data, encryption of office devices is increasing, and may soon become common.
3. Understand basic website and network transmission encryption. As data is sent to and from a website or by email, it can be encrypted. URLs beginning with https:// send encrypted data to the website and the data returned is encrypted, though just a few years ago the Heartbleed bug compromised this encryption on a large number of websites. When data is encrypted in the transmission between parties, the data is said to be encrypted in transit.
Work with vendors that encrypt data at rest or use “end to end” encryption. Just because data is sent in an encrypted format does not mean that the data will remain encrypted when stored. As we noted before, this creates a potential problem if the storage site is compromised. For this reason, encryption at rest, or at the storage point, is important. If storage at both ends of a transmission is encrypted and there is encryption during transmission, this is called end to end encryption.
Consider requiring all email to be encrypted when sent and received. Email presents a special case for analysis of encryption. In the past, most email transmissions were not encrypted. However, TLS encryption is now used by about 90% of email traffic. The problem is that many email senders are set to use opportunistic encryption. This means that if the other side of the transmission supports encryption, then encryption will be used; if not, the message is sent unencrypted. It is now possible to force email servers to only send and receive encrypted email. The practical concern with enforcing encryption in both directions is that a few emails may not come through from the minority of email servers that do not encrypt appropriately.
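Whether a particular message actually travelled over TLS at each hop can be checked after the fact from its Received headers: RFC 3848 registers the "with ESMTPS" and "with ESMTPSA" protocol tokens for hops that used STARTTLS, while plain "ESMTP" or "SMTP" means that hop was cleartext (the opportunistic fallback described above). The following added example, not part of the course, audits a constructed three-hop message; all hostnames and addresses are placeholders.

```python
import email
import re
from email import policy
from typing import List, Tuple

# Constructed message: three hops, middle one delivered in the clear.
# Hostnames and IP addresses are documentation placeholders.
CONSTRUCTED_MESSAGE = """\
Received: from mx.example-firm.test (mx.example-firm.test [203.0.113.10])
\tby mail.example-firm.test with ESMTPS id 4AbCd
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tMon, 1 Jan 2024 10:00:03 +0000
Received: from relay.client-isp.test (relay.client-isp.test [198.51.100.7])
\tby mx.example-firm.test with ESMTP id 9XyZ;
\tMon, 1 Jan 2024 10:00:02 +0000
Received: from [192.0.2.5] (client-laptop.client-isp.test)
\tby relay.client-isp.test with ESMTPSA id 1QwE;
\tMon, 1 Jan 2024 10:00:01 +0000
From: client@client-isp.test
To: lawyer@example-firm.test
Subject: Draft agreement

Attached is the draft.
"""

# RFC 3848 tokens: SMTP, ESMTP, ESMTPS, ESMTPSA, ESMTPA, UTF8SMTPS, ...
WITH_RE = re.compile(r"\bwith\s+([A-Z0-9]*SMTP[SA]*)\b")
HOST_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def audit_hops(raw: str) -> List[Tuple[str, str, str, bool]]:
    """Return (from_host, by_host, protocol, encrypted) per Received hop,
    oldest first. A hop counts as encrypted only when its token ends in
    S or SA; an unrecognised token fails closed as not encrypted."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold the header
        proto, hosts = WITH_RE.search(flat), HOST_RE.search(flat)
        token = proto.group(1) if proto else "UNKNOWN"
        encrypted = token.endswith("S") or token.endswith("SA")
        src, dst = (hosts.group(1), hosts.group(2)) if hosts else ("?", "?")
        hops.append((src, dst, token, encrypted))
    return list(reversed(hops))  # headers are prepended, so reverse


def cleartext_hops(raw: str) -> List[str]:
    """Receiving servers that accepted this message without TLS."""
    return [dst for _, dst, _, enc in audit_hops(raw) if not enc]
```

Run over a mailbox, the list returned by cleartext_hops shows which correspondents' servers still fall back to unencrypted delivery and would be affected by enforcing TLS.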
Client portals can easily encrypt in transit without question. Providing clients with documents and other information through a client portal can eliminate the need for email transmission of sensitive data. These may be included as part of a case management system such as Clio or Rocket Lawyer, or simply be a file sharing website with encrypted storage and the ability to create client passwords. Clients and lawyers sign in to a website to upload and download documents with encryption.
This is a sampling of the information to be provided in the course. The course also provides information on the following:
• Locking down computers to prevent unintended software installation
• Using anti-virus, ransomware protection, web filters, email filters and firewalls to reduce risk
• Proper backup procedures
• Proper vetting of technology vendors
• What is social engineering and how can it be defeated
• Proper content of electronic communications
• Keeping up with changes in technology
• Security testing and advising